Brave Browser 0.23.19 – DLL Injection/Code execution

A local DLL loading vulnerability has been discovered in the official Brave Browser v0.23.19 web browser. The vulnerability could allow an unauthenticated remote attacker to manipulate a specific DLL and execute arbitrary code on an affected system without the user’s knowledge.

Product & Service Introduction:
===============================
Brave is a free and open-source pay-to-surf web browser developed by Brave Software Inc. based on the Chromium web browser and its Blink engine.
The browser blocks ads and website trackers.
Currently, the company is developing a feature that allows users to opt in to receiving ads sold by Brave Software in place of the blocked ads.

(Copy of the Vendor Homepage: https://brave.com/)

Vulnerable Software:
[+] Brave Browser

Vulnerable Version(s):
[+] v0.23.19

Affected Libraries:
[+] CRYPTSP.dll

Date of Discovery:
==================
2018-07-21

Exploitation Technique:
=======================
Local

Platform Tested:
===============
Windows 7 & 10

Solution – Fix & Patch:
=======================
1/ Whenever possible, use a full path when loading a library.
2/ Remove the current directory from the search path by using ‘SetDllDirectory’.
3/ Do not use ‘SearchPath’ to locate a library. ‘SearchPath’ was not intended to search for libraries to load into the application’s process space and uses an unsecured search order.
4/ Do not attempt to load libraries only to identify the version of Windows. Instead, use ‘GetVersionEx’ or a similar function offered by the Windows API.
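
The following is an added example, not code from Brave or from the original advisory, showing points 1 and 2 for the affected library name: the DLL is loaded by full path from the system directory after the current directory is removed from the search order. The helper names build_system_dll_path and load_system_dll are hypothetical, and the non-Windows branch uses a constructed sample system directory.

```c
/* Added example (not Brave's code): load a system DLL by full path only. */
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Hypothetical helper: join the system directory and a bare DLL file name.
 * Returns 0 on success, -1 for a non-"*.dll" name, a path, or overflow. */
int build_system_dll_path(const char *sysdir, const char *name,
                          char *out, size_t outlen)
{
    size_t n = strlen(name);
    if (n < 5 || strpbrk(name, "\\/:") != NULL)
        return -1;                 /* reject paths, drive letters, streams */
    if (strcmp(name + n - 4, ".dll") != 0 && strcmp(name + n - 4, ".DLL") != 0)
        return -1;
    int w = snprintf(out, outlen, "%s\\%s", sysdir, name);
    return (w < 0 || (size_t)w >= outlen) ? -1 : 0;
}

#ifdef _WIN32
/* Never resolves the DLL from the current or application directory. */
HMODULE load_system_dll(const char *name)
{
    char sysdir[MAX_PATH], full[MAX_PATH];
    UINT len = GetSystemDirectoryA(sysdir, sizeof sysdir);
    if (len == 0 || len >= sizeof sysdir)
        return NULL;
    if (build_system_dll_path(sysdir, name, full, sizeof full) != 0)
        return NULL;
    /* Full path for the DLL itself; its dependencies resolve from System32. */
    return LoadLibraryExA(full, NULL, LOAD_LIBRARY_SEARCH_SYSTEM32);
}
#endif

int main(void)
{
#ifdef _WIN32
    SetDllDirectoryA("");          /* point 2: drop the current directory */
    HMODULE h = load_system_dll("CRYPTSP.dll");
    printf("CRYPTSP.dll %s\n", h ? "loaded from system directory" : "not loaded");
    if (h) FreeLibrary(h);
#else
    char p[260];                   /* constructed sample system directory */
    if (build_system_dll_path("C:\\Windows\\System32", "CRYPTSP.dll", p, sizeof p) == 0)
        puts(p);
#endif
    return 0;
}
```

On Windows 7, the LOAD_LIBRARY_SEARCH_SYSTEM32 flag requires update KB2533623.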

Risk Level:

Proof of Concept (PoC):
=======================
A local DLL loading vulnerability could allow an unauthenticated remote attacker to manipulate a specific DLL and execute
arbitrary code on an affected system without the user’s knowledge (for example, a trojan horse or ransomware). For security demonstration or
to reproduce the vulnerability, follow the provided information and steps below to continue.